Mixed content warnings appear when your HTTPS site loads resources over HTTP. Here is how to find and fix every instance.
Step 1: Find All Mixed Content
Run an InspectWP scan — the HTML section lists all insecure URLs found on your page. You can also open your browser's developer console (F12) and look for mixed content warnings.
Step 2: Update WordPress URLs
In Settings → General, make sure both the WordPress Address and Site Address use https://.
Step 3: Search and Replace in Database
The most effective way to fix hardcoded HTTP URLs in post content, widget text, and custom fields is a search-and-replace operation:
# Using WP-CLI (recommended)
wp search-replace 'http://example.com' 'https://example.com' --all-tables --dry-run
# If the dry run looks correct, run without --dry-run
wp search-replace 'http://example.com' 'https://example.com' --all-tablesAlternatively, use the Better Search Replace plugin for a GUI-based approach.
Step 4: Fix Theme and Plugin Files
Search your theme files for hardcoded http:// URLs and replace them with https:// or protocol-relative //.
Step 5: Add a Catch-All Redirect
Ensure all HTTP requests redirect to HTTPS:
# .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]Step 6: Force HTTPS in wp-config.php
define('FORCE_SSL_ADMIN', true);
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
$_SERVER['HTTPS'] = 'on';
}Verify with InspectWP
After making changes, run a new InspectWP scan. The insecure URLs list should be empty.